Another way to fend off and detect impostors is to use call sequence
checks. Call sequence checks help you protect against intruders that
somehow managed to find out the password you log into your UUCP system
with.

When using call sequence checks, both machines keep track of the number
of connections established so far. It is incremented with each
connection. After logging in, the caller sends its call sequence
number, and the callee checks it against its own number. If they don't
match, the connection attempt will be rejected. If the initial number is
chosen at random, attackers will have a hard time guessing the correct
call sequence number.

But call sequence checks do more for you than this: even if some very
clever person should detect your call sequence number as well as your
password, you will find this out. When the attacker call your UUCP feed
and steals your mail, this will increase the feeds call sequence number
by one. The next time you call your feed and try to log in, the
remote uucico will refuse you, because the numbers don't match
anymore!

If you have enabled call sequence checks, you should check your log
files regularly for error messages that hint at possible attacks.
If your system rejects the call sequence number the calling system offers
it, uucico will put a message into the log file saying something
like ``Out of sequence call rejected''. If your system is rejected by its
feed because the sequence numbers are out of sync, it will put a message
in the log file saying ``Handshake failed (RBADSEQ)''.

To enable call sequence checks, you have to add following command to the
system entry:

Beside this, you have to create the file containing the sequence number
itself. Taylor UUCP keeps the sequence number is in a file called
.Sequence in the remote site's spool directory. It must
be owned by uucp, and must be mode 600 (i.e. readable and
writable only by uucp). It is best to initialize this file with
an arbitrary, agreed-upon start value. Otherwise, an attacker might
manage to guess the number by trying out all values smaller than, say,
60.

Of course, the remote site has to enable call sequence checks as well,
and start by using exactly the same sequence number as you.